ANU Announces Data Breach; “Significant” Amount of Data Accessed

By Eliza Croft, Tristan Khaw, and Rebecca Zhong

ANU has announced it has been the victim of a data breach. The breach occurred in late 2018, and was first noticed two weeks ago. Data going back 19 years, including phone numbers, tax file numbers, and bank account details, was accessed.

The University announced the breach this morning, with an email to staff and students from Vice Chancellor Brian Schmidt, a Facebook post, and information on its website.

According to Schmidt’s announcement, “significant amounts of personal staff, student and visitor data extending back 19 years” was accessed. This included addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. However, Schmidt said that what information was accessed would vary person-to-person, “depending on the information [they] have provided to the University”. The University’s FAQ section says, “At this stage, we only have evidence that data was copied [rather than altered].”

ANU has emphasised that information within ANU email accounts (such as email contents) was not accessed, and neither were credit card details, travel information, medical records, police checks, or vehicle registration numbers. Schmidt also said there is “no evidence that research work has been affected”.

The breach was first detected on 17 May. A University spokesperson said that the reason for the delay in announcing the breach was that the University has been “hardening the [IT] systems”. In his announcement, Schmidt said that staff had been “working tirelessly to further strengthen our systems against secondary or opportunistic attacks”.

Beyond saying the breach was committed by a “sophisticated operator”, the University was not able to say who was responsible or what their motivation may have been. “Attribution is difficult, and we are not able to attribute this attack,” the University’s FAQ page says. Schmidt said ANU is “working closely with Australian government security agencies and industry security partners to investigate further”.

This is not the first time ANU has experienced a significant data breach. In July 2018, ANU announced that there had been a data breach over a span of several months. This prompted a number of IT security changes and upgrades. However, a University spokesperson confirmed that the latest breach occurred after the implementation of these changes. “Had it not been for those upgrades, we would not have detected this incident,” Schmidt said.

One of the changes that followed the previous breach was making staff and students change their passwords every 180 days. The spokesperson said a more stringent password change policy was not being considered “at this stage”. However, they said that students should “monitor any suspicious activity”, including phishing emails, and report these to IT Security.

The ANU Chief Information Security Officer Suthagar Seevaratnam has issued general advice on ways to keep personal information safe, such as resetting your password and scrutinising emails you receive. The Office of the Australian Information Commissioner also provides information about what to do if informed of a data breach.

Those with concerns or questions can contact ANU’s helpline by phoning 1800 275 268 or emailing [email protected]. Schmidt stated the University has also “increased counselling resources”. The University spokesperson acknowledged it is “already a stressful time” for students, being exam period. “If students feel extra distressed and they think that they might need special consideration, they can apply for that,” they said.

Support is available:

ANU Counselling – (02) 6125 2442

ANU Crisis Student Support Line – Phone: 1300 050 327; Text: 0488 884 170

Lifeline – 13 11 14

Know something we don’t know? Email [email protected] or use our anonymous tip submission.

If you have an issue with this article, or a correction to make, you can contact us at [email protected], submit a formal dispute, or angery react the Facebook post.

Want to get involved? You can write articles, photograph, livestream or do web support. We’re also looking for someone to yell “extra!” outside Davey Lodge at 1AM. Apply today!